Simple Mistakes and Human Errors – What Can be Learned from Accidental Data Breaches

04 June 2014

Mason Hayes & Curran Technology Law Blog

While the technological details of securing data such as encryption, firewalls and ‘access control mechanisms’ might command the attention of data protection lawyers and industry specialists alike, many data breaches originate from simple human error. This is reflected in the case studies from the 2013 Annual Report of the Irish Data Protection Commissioner (“DPC”).

Set out below are three recurring issues in human-error-based security breaches which can be identified from the DPC’s 2013 Report and recent developments:

1. No personal gain

Often, a breach of data protection rules through human error will not result in any gain for the individual responsible for the breach. In one instance, the DPC highlighted the case of a voluntary organisation working with young people where a volunteer accidentally lost photocopies of passports on the return journey from a trip abroad. Another case study concerned a doctor who sent a patient’s medical file to an incorrect e-mail address as the result of a spelling error. In a different case, another doctor inadvertently disclosed a wider range of medical records about a patient to an insurance company than the narrower set of records required for the insurer’s assessment of the patient’s knee injury.

2. Junior staff mistakes

Human error is likely to occur where junior personnel have inadequate training, bad judgment or poor supervision. The DPC drew attention to a case where a data subject’s phone was stolen while the data subject was out shopping at a major phone retailer. The two thieves involved subsequently convinced a trainee employee to give them the contact details of the owner so that they could ‘return’ the handset. They then appeared at the data subject’s isolated home looking for a reward for ‘finding’ the phone.

3. High cost and global prevalence

A 2014 ‘Cost of Data Breach Study’ of 341 different organisations worldwide found that 30% of data breach incidents were caused by a negligent employee or contractor – i.e. human error – rather than criminal/malicious attacks or system glitches. Human error was also the leading cause of data breaches in the UK (40% of incidents in 40 organisations studied). Furthermore, the global ‘cost per compromised record’ for companies was on average $145, but where the breach was caused by lost or stolen devices this figure increased by $16.10.

How can the problem be tackled?